Cyber and Agents E&O
Cyber Insurance is not a standard coverage, so don’t expect your Standard Market to provide you with the right coverage for your client. The truth is, even the specialty brokers and specialty underwriters are having a difficult time underwriting and brokering this business. Accounts of all sizes are complex, and there are now over 70 markets offering cyber coverage with very different policy forms, appetites, and abilities to manuscript coverage. The best advice we can give is to engage an expert who has access to many markets and can walk you and your client through the coverages available; otherwise it could be your E&O and your reputation on the line.
Over the last few months we have seen clients file complaints against their broker for failure to place the proper cyber coverage, and we have seen retailers file complaints against wholesalers for the same. Below are two examples where the client’s coverage did not meet their expectations. This is not an indictment of those involved; they are just real-life examples that demonstrate that this is a specialty coverage and needs to be treated that way.
On May 31, 2016, a federal court denied P.F. Chang’s attempt to recover an additional $2 million it paid following a 2013 breach in which hackers obtained and posted online roughly 60,000 credit card numbers belonging to P.F. Chang’s customers.
P.F. Chang’s was insured under a Cyber Policy with Chubb. Chubb marketed the policy as a Cyber Insurance solution that addresses the full breadth of cyber risks, including “consequential loss resulting from cyber security breaches.”
Chubb did reimburse P.F. Chang’s nearly $1.7 million as part of their claim for injured customers and Issuers. However, when P.F. Chang’s sought reimbursement from Chubb for $2 million in PCI fees and assessments that were charged back to P.F. Chang’s by its credit card service providers, Chubb refused to pay, contending, among other things, that P.F. Chang’s had no reasonable expectation of coverage for these amounts.
The court granted summary judgment in favor of Chubb. The issue was that the PCI assessments of roughly $2 million were charges incurred by Bank of America and passed on to P.F. Chang’s via a contract. Bank of America itself did not sustain a privacy injury; the consumer was damaged. This highlights the importance of affirmative breach of contract coverage. This is a typical data breach claim; large or small, most would function in this manner. This is often a large portion of a cyber claim for a retailer, so it is critical to get this coverage in order and have it be clear what is covered and not covered.
While the policy was marketed as a full cyber policy, there are so many pitfalls in the policy language out there, you need to be really careful. Without knowing what all the other markets are doing, you cannot know what is best for your client. This needs to be made clear to agents and their clients up front, so expectations can be met. This decision also shows that cyber products are rapidly evolving, so what was standard coverage when this policy was written may be sub-standard coverage today.
Eustis Insurance Co. (retail agent) filed a third-party complaint against wholesale insurance broker, R-T Specialty, Inc. after the broker allegedly failed to properly advise New Hotel Monteleone, Inc. about its cybersecurity exposures and coverage that R-T Specialty was asked to obtain from the market. This was after the hotel filed a complaint against their agent Eustis.
This case represents another example of the exposure that might result from a failure to engage brokers experienced in Cyber where the exposures are very different from standard coverages.
Hotel Monteleone experienced a cyberattack in 2013, and after the attack, the hotel approached Eustis and requested a cyber insurance policy that would afford coverage for this type of loss going forward. Eustis engaged R-T Specialty to assist. R-T Specialty touted itself as having cyber expertise as well as a team devoted to cyber coverage.
R-T Specialty procured a cyber policy issued by Ascent on Lloyd’s of London paper. The Ascent Policy purported to cover the types of exposure the hotel experienced following the 2013 cyberattack. The Ascent Policy contained general limits of $3 million, but coverage was limited significantly for amounts that constitute fines or penalties. At no time did R-T Specialty inform Eustis that fraud recovery and operation reimbursement might be considered to be a fine or penalty, or that amounts assessed for fraud recovery and operational reimbursement might be subject to the policy’s Payment Card Industry Fines or Penalties Endorsement and its $200,000 sublimit.
In October 2014, Hotel Monteleone again was the victim of a cyberattack, subjecting the hotel to fraud recovery and operational reimbursement exposures in excess of the Ascent Policy’s sublimit. It was then they found out that coverage would be limited to the $200,000 sublimit for PCI Fines, Penalties, and Assessments. The hotel has sued their retailer Eustis and Lloyd’s. The retailer has in turn sued RT. We will keep you posted on these developments, but again this highlights the importance of working with a specialist who has knowledge in this space.
PCI Fines, Penalties, and Assessments are a huge exposure for anyone taking credit card numbers, and when you sign a contract or agree to the terms and conditions to accept credit card payments you are giving up all of your rights. When you have a credit card breach, you will face fines, penalties and assessments. Much of that will be a contractual obligation that should be covered by your insurance. PCI assessments are generally made up of all the fraudulent charges made as a result of the breach and the cost to re-issue credit cards and are passed back to the end retailer that had the breach.